I run a small mailing list that has been subject to problems similar to the recent spate of "unscrives". Apparently there is a list of mailing lists circulating the warez boards along with scripts for spoofing subscription requests. Over the past few months my list
Ah, KaNN3d t00Lz: the incompetent kRak3r'z best friend. :)
Crypto relevance: This attack will be eliminated when more mail agents support public key crypto and the mailing list software can be modified to check signatures on subscription requests.
But you're presupposing a public key distribution mechanism such that the list software can get a key for that user. And that that's a valid key for that user, not a key that J Random kRak3r didn't just send in for his clueless AOL victim before said victim established a public key.

At any rate, has something like this been put into the current PGPdomo? I don't think that it would be too hard to hack in a query to a web keyserver to grab a key. If the initial request's not signed, maybe include a note about how to go about getting PGP and putting a key on the keyserver (or a pointer to instructions on the web).

---
Fletch                                                      __`'/|
fletch@ain.bls.com  "Lisa, in this house we obey the        \ o.O'    ______
404 713-0414(w)      Laws of Thermodynamics!" H. Simpson    =(___)=  -| Ack. |
404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43   U      ------
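
The key-binding objection raised in the reply above, as an added example that is not part of the original thread: a list server that checks signatures against whatever key a keyserver returns accepts any request signed by whoever uploaded a key for that address first. The Keyserver class, the handle_subscribe policy, the address and list name, and the toy textbook-RSA signatures standing in for PGP are all assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent for the toy textbook RSA below (a stand-in for PGP)

def make_key(p, q):
    """Toy key from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

class Keyserver:
    """Hypothetical keyserver: keeps the first key uploaded for an address
    and asks for no proof that the uploader owns that address."""
    def __init__(self):
        self.keys = {}
    def upload(self, address, n):
        self.keys.setdefault(address, n)
    def lookup(self, address):
        return self.keys.get(address)

def handle_subscribe(ks, address, request, sig=None):
    """List-server policy sketched in the thread (hypothetical code)."""
    if sig is None:
        return "rejected: unsigned, reply with PGP and keyserver instructions"
    n = ks.lookup(address)
    if n is None:
        return "rejected: no key on keyserver"
    if not verify(request, sig, n):
        return "rejected: bad signature"
    return "subscribed"

def demo():
    ks = Keyserver()
    addr = "victim@example.com"            # constructed address
    request = "subscribe some-list " + addr
    other_n, other_d = make_key(2**61 - 1, 2**127 - 1)  # not the owner's key
    ks.upload(addr, other_n)               # arrives before the owner has a key
    owner_n, owner_d = make_key(2**89 - 1, 2**107 - 1)
    ks.upload(addr, owner_n)               # ignored: first upload wins
    return [
        handle_subscribe(ks, addr, request),
        handle_subscribe(ks, addr, request, sign(request, owner_n, owner_d)),
        handle_subscribe(ks, addr, request, sign(request, other_n, other_d)),
    ]
```

The signature check only proves possession of the key the keyserver returned; the binding between key and mailbox has to be established some other way before the check means anything.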